I wanted to take a few minutes to chat about the future audit roadmap. The release of audit-2.8.3 represents a breaking point. It's time for changes. Some of these changes are going to modify configuration files. And new things that may not be compatible with the old will be introduced. So, I have created a 2.8_maintenance branch on github. This will be a lightly maintained branch that preserves the old way. I don't know if there will ever be an audit-2.8.4 release. But if there is, it will be from this branch.

Looking towards the future, here's what to expect. The next release will be called audit-3.0. This is to reflect a break with the old. The first new thing under development is a TLS transport mechanism for remote logging. Next, performance improvements will be looked into to see if we can get auparse running more efficiently. Also look for container support to land in the near future. And another big change... audispd will be going away. Its functionality will be done by auditd directly. This will eliminate one place where events get dropped and also speed up the time between event arrival and a plugin seeing it. This will be important because there is a new IDS/IPS plugin that is under development. (Some of you may have seen it in action at DevConf 2018.) It will need events faster, more reliably, and a faster performing auparse library.

I expect these to roll out over several releases. I would not expect these features to land in any stable distro. I would expect these to show up in the development and new versions of distros because of the breakage. I look to have all of this work completed by sometime this summer. Who knows... maybe sooner.

Post by Steve Grubb
Hello, I wanted to take a few minutes to chat about the future audit roadmap. The release of audit-2.8.3 represents a breaking point ...

Just a quick note that Steve is talking about the audit userspace which he maintains, the work for the Linux Kernel's audit subsystem is tracked via GitHub (link below). This includes both bug reports *and* new feature requests. If you would like to add to that list, feel free to do so. If you want to help out and contribute, definitely feel free to do so! ;)

* https://github.com/linux-audit/audit-kernel/issues

--
paul moore
www.paul-moore.com

Post by F Rafi
So container support can be addressed by userspace changes alone? Or will it require kernel audit subsystem updates as well?

In order to associate container identifiers with kernel generated audit events, kernel changes are required. You may have seen discussion threads about this on the list, and more recently a partial RFC patchset from Richard Guy Briggs on this list as well. Of course there will likely be some additions to Steve's userspace tools to make sense of, and interpret, the additional container identifiers in the audit log, but I expect the bulk of changes to happen in the kernel.

There are a handful of issues in the GitHub audit-kernel issue tracker related to this work.


Post by F Rafi
So container support can be addressed by userspace changes alone?

Nope.

Post by F Rafi
Or will it require kernel audit subsystem updates as well?

The kernel does all the heavy lifting. What this is indicating is that user space will pick up support to use the kernel's container auditing. You may have seen a set of patches posted by Richard in the last 2 weeks. That is for the kernel side. There will need to be corresponding user space code to interface to it. This is probably going to change events enough that it's again a good reason to break with the old.
